<div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div><div><div><div>Hello,<br><br></div>I am trying to establish ipsec tunnel between two linux boxes using certificates.<br></div><div>Client is on strongswan-5.1.1 and Server is on strongswan-5.2.0<br>
</div>Also strongswan client is asking for a virutal ip.<br><br>There are two levels of certificate Authorities. <br></div>I have placed both Root Certificate and SubCA certificate in /etc/ipsec.d/cacerts,<br></div>Device certificate is in /etc/ipsec.d/certs, Device key in /etc/ipsec.d/private<br>
</div>This, I have done in both the boxes.<br><br></div><div>In both client and server,<br></div>/usr/sbin/ipsec listcacerts <br></div>is listing both Root and SubCA certificate<br><br></div>/usr/sbin/ipsec listcerts<br></div>
is listing device certificate properly.<br><br><br></div>When ike session is initiated from client,<br><br></div>IKE_SA_INIT and IKE_SA_INIT_RESPONSE happen properly.<br><br></div>Later IKE_AUTH from client gets fragmented at ip level, 2 fragments are sent and are received by server. Server authenticates the client and is able to establish the root of trust.<br>
<br></div>But server is sending only one certificate(Device cert) in IKE_AUTH, because of which client fails to establish the root of trust. <br>I see that all packets from server are having DF bit on. Is this the reason why server sends only one certificate in IKE_AUTH ?<br>
<br></div>How to overcome this situation ?<br><div><div><div><div><br><div><div><div><div><div>Any help in this regard is appreciated.<br><br>Regards,<br>Sriram<br></div><div><div><div><div><div><div><div><br><br></div></div>
</div></div></div></div></div></div></div></div></div></div></div></div></div></div>